LDAP - SPC-OCA-10490: Could not connect to the external authentication server


Article ID: 221378

Products

CA Spectrum DX NetOps

Issue/Introduction

Some users are getting the error message below:

  • 04/08/2021 18:24:01 - SPC-OCA-10598: User username attempted to logon to browser page from host 10.xx.yy.zz (10.xx.yy.zz) but authorization failed with error: SPC-OCA-10490: Could not connect to the external authentication server.

I enabled Debug as described in the URL below:

Error when testing Spectrum OneClick integration with LDAP

https://knowledge.broadcom.com/external/article?articleId=185817

After enabling "SSORB Security SP" I found the following messages in "catalina.out":

Aug 04, 2021 18:24:01.765 (https-jsse-nio-8443-exec-15) (SecuritySP) - -------- mgmoreno --------
Aug 04, 2021 18:24:01.765 (https-jsse-nio-8443-exec-15) (SecuritySP) - IN getUserRoles for username
Aug 04, 2021 18:24:01.765 (https-jsse-nio-8443-exec-15) (SecuritySP) - Getting user model for username
Aug 04, 2021 18:24:01.765 (https-jsse-nio-8443-exec-15) (SecuritySP) - Getting user model by filter from admin domain oneclicksrv
Aug 04, 2021 18:24:01.767 (https-jsse-nio-8443-exec-15) (SecuritySP) - Got user model: 0x1058d4e
Aug 04, 2021 18:24:01.767 (https-jsse-nio-8443-exec-15) (SecuritySP) - superUser: union com.aprisma.spectrum.core.idl.CsCAttribute.CsCValue {
boolean boolValue=false
}, allowNoUser: union com.aprisma.spectrum.core.idl.CsCAttribute.CsCValue {
boolean boolValue=false
}
Aug 04, 2021 18:24:01.767 (https-jsse-nio-8443-exec-15) (SecuritySP) - User username is neither a super user nor an allowed user to login Spectrum
Aug 04, 2021 18:24:01.767 (https-jsse-nio-8443-exec-15) (SecuritySP) - Authenticating user with external directory server: username
Aug 04, 2021 18:24:01.767 (https-jsse-nio-8443-exec-15) (SecuritySP) - Opening directory context
Aug 04, 2021 18:24:01.767 (https-jsse-nio-8443-exec-15) (SecuritySP) -     connectionURL ldap://ldapserver.domain.com:636
Aug 04, 2021 18:24:01.767 (https-jsse-nio-8443-exec-15) (SecuritySP) -     protocol ssl
Aug 04, 2021 18:24:01.767 (https-jsse-nio-8443-exec-15) (SecuritySP) -     referrals follow
Aug 04, 2021 18:24:01.767 (https-jsse-nio-8443-exec-15) (SecuritySP) -     timeoutPeriod in milliseconds 5000
Aug 04, 2021 18:24:01.768 (https-jsse-nio-8443-exec-15) (SecuritySP) -     readTimeoutPeriod in milliseconds 5000
Aug 04, 2021 18:24:01.773 - Connection Exception: javax.naming.CommunicationException: ldapserver.domain.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Aug 04, 2021 18:24:01.773 - Connection problem: javax.naming.CommunicationException: SPC-OCA-10490: Could not connect to the external authentication server.
Aug 04, 2021 18:24:01.773 (https-jsse-nio-8443-exec-15) (SecuritySP) - Getting user model by filter from admin domain oneclicksrv
Aug 04, 2021 18:24:01.774 (https-jsse-nio-8443-exec-15) (SecuritySP) - checking password attribute on com.apris[email protected]718c08f3
Aug 04, 2021 18:24:01.775 (https-jsse-nio-8443-exec-15) (SecuritySP) - got password attribute
Aug 04, 2021 18:24:01.775 (https-jsse-nio-8443-exec-15) (SecuritySP) - retrievedPass : union com.aprisma.spectrum.core.idl.CsCAttribute.CsCValue {
byte[] taggedOctetString={-99,1,0,37,67,1,0,6,0,0,0,32,0,0,0,90,-19,15,112,5,123,-24,39,87,-125,92,55,111,-104,55,-35,56,-51,60,103,-57,13,4,-90,27,121,69,-25,113,54,113,-75}
}
Aug 04, 2021 18:24:01.775 (https-jsse-nio-8443-exec-15) (SecuritySP) - newPass SHA256 : union com.aprisma.spectrum.core.idl.CsCAttribute.CsCValue {
byte[] taggedOctetString={-99,1,0,37,67,1,0,6,0,0,0,32,0,0,0,32,-73,-22,93,95,59,79,-45,-54,79,-7,32,-102,-113,-55,115,67,11,-116,-32,-28,-65,55,42,4,-118,-124,-63,-107,-74,-89,-65}
}
Aug 04, 2021 18:24:01.775 (https-jsse-nio-8443-exec-15) (SecuritySP) - newPass SHA1 : union com.aprisma.spectrum.core.idl.CsCAttribute.CsCValue {
byte[] taggedOctetString={-99,1,0,37,67,1,0,4,0,0,0,20,0,0,0,16,-81,-11,-58,39,-97,-22,-82,14,-44,-6,-32,44,-52,-72,-48,127,-51,94,22}
}
Aug 04, 2021 18:24:01.775 (https-jsse-nio-8443-exec-15) (SecuritySP) - oldPass union com.aprisma.spectrum.core.idl.CsCAttribute.CsCValue {
byte[] taggedOctetString={-99,1,0,37,67,1,0,3,0,0,0,16,0,0,0,58,77,1,24,-87,52,90,-37,107,-125,121,-26,111,-36,-75,-113}
}
Aug 04, 2021 18:24:01.775 (https-jsse-nio-8443-exec-15) (SecuritySP) - password didn't match

Cause

A chain (root) certificate from the Certificate Authority must also exist in the keystore (cacerts file). By default, OneClick includes chain certificates from many popular vendors.

In the cacerts file of the 101 and 102 hosts, there are only a few entries, 4 and 6 respectively. It looks like someone had cleaned up the cacerts file in the past.

In the cacerts file of the 103 host, there are 107 entries.

 /c/win32app/Spectrum/Java/bin
$ keytool -v -list -keystore ../../custom/keystore/cacerts_from_101 -storepass changeit | grep contains
Your keystore contains 4 entries

 /c/win32app/Spectrum/Java/bin
$ keytool -v -list -keystore ../../custom/keystore/cacerts_from_102 -storepass changeit | grep contains
Your keystore contains 6 entries

 /c/win32app/Spectrum/Java/bin
$ keytool -v -list -keystore ../../custom/keystore/cacerts_from_103 -storepass changeit | grep contains
Your keystore contains 107 entries

Environment

Release : 20.2

Component : OneClick

Resolution

These are the steps we performed to resolve the issue:

1. Renamed the existing $SPECROOT/custom/keystore/cacerts file.

2. Copied the $SPECROOT/Java/jre/lib/security/cacerts file to the $SPECROOT/custom/keystore/ directory.

3. Generated a private self-signed certificate in the custom cacerts file by issuing the following command:
./keytool -genkey -alias tomcatssl -keyalg RSA -validity 360 -keystore ../../custom/keystore/cacerts

4. Imported the Certificate Authority-signed SSL certificate into the keystore used by the LDAPS integration.

5. Bounced the Tomcat service.

6. Successfully ran the LDAP test login.
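The following script is an added example, not Broadcom's or the article's own code. It ties together the three parts of this article: it classifies the "Connection Exception" line that the SSORB Security SP debug output writes to catalina.out (the PKIX path building failure above means the CA chain is missing from the truststore, as opposed to a hostname mismatch, timeout or refused connection), it counts the entries in a cacerts file the same way the keytool | grep check in the Cause section does and flags a store that looks hand-pruned, and it performs steps 1, 2 and 4 of the resolution (back up the custom cacerts, start again from the JRE cacerts, import the CA certificate). SPECROOT, the 50-entry threshold, the alias name ldaps-ca and the PEM file path are assumptions; the keytool options used (-list, -importcert, -trustcacerts, -noprompt, -alias, -file, -keystore, -storepass) are standard JDK keytool options.

```shell
#!/bin/sh
# Added example; not Broadcom/CA code. Triage the SecuritySP debug lines from
# catalina.out, check whether the custom cacerts truststore has been pruned,
# and rebuild it from the JRE truststore plus the LDAPS CA certificate.
# SPECROOT, MIN_ENTRIES, the alias and the PEM path are assumptions.
set -eu

SPECROOT="${SPECROOT:-/opt/Spectrum}"              # assumption: Spectrum install root
KEYTOOL="${KEYTOOL:-$SPECROOT/Java/bin/keytool}"   # keytool from the JRE bundled with Spectrum
STOREPASS="${STOREPASS:-changeit}"                 # default cacerts password, as used in the article
CUSTOM_CACERTS="$SPECROOT/custom/keystore/cacerts"
JRE_CACERTS="$SPECROOT/Java/jre/lib/security/cacerts"
MIN_ENTRIES="${MIN_ENTRIES:-50}"                   # assumption: a stock cacerts holds ~100 CA entries

# Read catalina.out (with "SSORB Security SP" debug enabled) on stdin and print a
# one-word diagnosis for the first "Connection Exception" line found.
classify_ldap_failure() {
    line=$(grep 'Connection Exception:' | head -n 1 || true)
    if [ -z "$line" ]; then
        echo none
        return 0
    fi
    case "$line" in
        *"PKIX path building failed"*|*"unable to find valid certification path"*)
            echo trust-store ;;          # CA chain missing from cacerts (this article's case)
        *"No subject alternative"*|*"No name matching"*)
            echo hostname-mismatch ;;    # cert is trusted but not issued for the URL's host name
        *"timed out"*|*"SocketTimeoutException"*)
            echo timeout ;;              # network/firewall, not a certificate problem
        *"Connection refused"*)
            echo refused ;;              # wrong port, or LDAPS not listening
        *)
            echo unknown ;;
    esac
}

# Parse "Your keystore contains N entries" (or "1 entry") from keytool -list output on stdin.
count_entries() {
    n=$(sed -n 's/^Your keystore contains \([0-9][0-9]*\) entr.*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Succeeds when the count is below MIN_ENTRIES, i.e. the store looks hand-pruned
# like the 4- and 6-entry stores in the article.
looks_pruned() {
    [ "$1" -lt "$MIN_ENTRIES" ]
}

# Number of entries in a keystore file (0 if keytool cannot open it).
keystore_entries() {
    "$KEYTOOL" -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null | count_entries
}

# Steps 1, 2 and 4 of the resolution: back up the custom cacerts, start again from the
# JRE cacerts, import the CA chain certificate from a PEM file. Restart Tomcat afterwards.
repair_truststore() {
    ca_pem="$1"                         # PEM file with the CA (root/intermediate) certificate
    alias="${2:-ldaps-ca}"              # assumption: alias under which the CA entry is stored
    stamp=$(date +%Y%m%d%H%M%S)
    if [ -f "$CUSTOM_CACERTS" ]; then
        mv "$CUSTOM_CACERTS" "$CUSTOM_CACERTS.bak.$stamp"
    fi
    cp "$JRE_CACERTS" "$CUSTOM_CACERTS"
    "$KEYTOOL" -importcert -trustcacerts -noprompt -alias "$alias" -file "$ca_pem" \
        -keystore "$CUSTOM_CACERTS" -storepass "$STOREPASS"
    echo "custom cacerts now holds $(keystore_entries "$CUSTOM_CACERTS") entries; restart Tomcat and retry the LDAP test login"
}

# Usage (only acts when invoked with arguments, so the functions can also be sourced):
#   sh ldaps_trust.sh triage /path/to/catalina.out
#   sh ldaps_trust.sh check
#   sh ldaps_trust.sh repair /path/to/ca-chain.pem [alias]
if [ "$#" -gt 0 ]; then
    case "$1" in
        triage) classify_ldap_failure < "$2" ;;
        check)
            n=$(keystore_entries "$CUSTOM_CACERTS")
            if looks_pruned "$n"; then echo "pruned: $n entries"; else echo "ok: $n entries"; fi ;;
        repair) shift; repair_truststore "$@" ;;
    esac
fi
```

The repair function deliberately starts from the JRE's own cacerts rather than adding the CA to the pruned store, so the public roots that someone removed earlier come back along with the LDAPS CA; a separate custom alias keeps the imported CA easy to find with keytool -list -alias later. Step 3 of the article (the tomcatssl key pair for OneClick's own HTTPS listener) is unrelated to LDAPS trust and is not part of the repair.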